Jaws · Jaws · CVE-2020-35656
**Name of the Vulnerable Software and Affected Versions**
Jaws versions 1.8.0 and earlier
**Description**
The issue allows remote authenticated administrators to execute arbitrary code via crafted use of "admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser" and "admin.php?reqGadget=FileBrowser&reqAction=Files" to upload a .php file. This is unrelated to the JAWS (aka Job Access With Speech) product.
**Recommendations**
For versions 1.8.0 and earlier, as a temporary workaround, consider disabling the use of the `admin.php` endpoint with `reqGadget` and `reqAction` parameters until a patch is available. Restrict access to the `FileBrowser` component to minimize the risk of exploitation. Avoid using the `comp` and `reqAction` parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
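While no fix is available, reviewing web server access logs for the two request patterns named in the description shows whether the FileBrowser component has been installed or used. The following is an added example, not part of the original advisory or the Jaws project: it assumes logs in common/combined format, and the sample lines and pattern labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request patterns from the advisory; the labels on the left are hypothetical names.
WATCHED = {
    "install-filebrowser": {"reqgadget": "components",
                            "reqaction": "installgadget", "comp": "filebrowser"},
    "filebrowser-files": {"reqgadget": "filebrowser", "reqaction": "files"},
}

# Common/combined log format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2021:10:02:13 +0000] "GET /admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/Jan/2021:10:02:40 +0000] "POST /admin.php?reqAction=Files&reqGadget=FileBrowser HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Jan/2021:10:05:00 +0000] "GET /admin.php?reqGadget=Example&reqAction=Example HTTP/1.1" 200 900',
]

def classify(target):
    """Return labels of the advisory patterns that a request target matches."""
    parts = urlsplit(target)
    if not unquote(parts.path).lower().endswith("/admin.php"):
        return []
    # parse_qs percent-decodes values; compare case-insensitively, in any order.
    # Only the query string is visible here: POST body parameters are not logged.
    params = {k.lower(): [v.lower() for v in vs]
              for k, vs in parse_qs(parts.query).items()}
    return [label for label, want in WATCHED.items()
            if all(val in params.get(key, []) for key, val in want.items())]

def scan(lines):
    """Yield (ip, time, method, status, labels) for each matching log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        labels = classify(m["target"])
        if labels:
            yield (m["ip"], m["time"], m["method"], int(m["status"]), labels)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit on either pattern is a prompt to check which administrator account made the request and whether any `.php` files were added through FileBrowser around that time.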